profiles/sysadmin: move to Lix, purge journald to 512M, add GC/NGINX/net optimizations

This should reduce some churn. Signed-off-by: Ryan Lahfa <federez-infra@lahfa.xyz>
2024-08-08 18:23:25 +02:00 · 2024-08-08 18:23:25 +02:00 · 61ed6e9571
commit 61ed6e9571
parent 918610b56e
1 changed files with 41 additions and 1 deletions
--- a/profiles/sysadmin.nix
+++ b/profiles/sysadmin.nix
@ -1,4 +1,4 @@
-{ pkgs, ... }: {
+{ pkgs, lib, ... }: {
  users.users.root.openssh.authorizedKeys.keyFiles = [
    ../pubkeys/raito.keys
    ../pubkeys/bensmrs.keys
@ -6,10 +6,50 @@
    ../pubkeys/jeltz.keys
  ];

+  nix.package = lib.mkDefault pkgs.lix;
+
  users.motd = (builtins.readFile ./federez.motd);
  networking.firewall.logRefusedConnections = false;
  security.auditd.enable = true;

+  services.nginx = {
+    recommendedOptimisation = lib.mkDefault true;
+    recommendedTlsSettings = lib.mkDefault true;
+    recommendedProxySettings = lib.mkDefault true;
+    recommendedGzipSettings = lib.mkDefault true;
+    eventsConfig = ''
+      worker_connections 8192;
+    '';
+    appendConfig = ''
+      worker_rlimit_nofile 16384;
+    '';
+  };
+
+  services.journald.extraConfig = "SystemMaxUse=512M";
+
+  nix.gc = {
+    automatic = true;
+    persistent = true;
+    dates = lib.mkDefault "daily";
+    options = "--delete-older-than 30d";
+  };
+
+  boot.kernelParams = [
+    "panic=30" "boot.panic_on_fail"
+  ];
+
+  boot.kernel.sysctl = {
+    # Set default TCP congestion control algorithm
+    "net.ipv4.tcp_congestion_control" = "bbr";
+
+    # Enable ECN
+    "net.ipv4.tcp_ecn" = 1;
+
+    # Enable TCP fast open
+    "net.ipv4.tcp_fastopen" = 3;
+  };
+
+
  environment.systemPackages = [
    pkgs.htop
    pkgs.kitty.terminfo